MAC Address Table (CAM Table) – Structure, Learning, and Security
1. What Is the MAC Address Table?
The MAC Address Table — also called the CAM table (Content Addressable Memory table) — is the central database a Layer 2 switch maintains to map MAC addresses to the physical port and VLAN on which each device was last seen. Every forwarding decision a switch makes begins with a lookup in this table.
Without the MAC table, a switch would have to flood every frame out every port, behaving exactly like an old hub. By learning and caching MAC-to-port mappings, a switch delivers each frame only to the port where the destination device actually lives, preserving bandwidth and keeping traffic private from uninvolved hosts.
Frame arrives on Port 1, Src MAC = AA:AA:AA:AA:AA:AA
┌──────────────────────────────────────────────────────────┐
│ Switch logic                                             │
│                                                          │
│ 1. LEARN  → write AA:AA:AA:AA:AA:AA / Port 1 / VLAN 10   │
│ 2. LOOKUP → search Dst MAC in table                      │
│    Found?     → FORWARD to mapped port only              │
│    Not found? → FLOOD all ports in VLAN                  │
└──────────────────────────────────────────────────────────┘
2. MAC Address Table Structure
Each row in the MAC address table contains four fields. Every dynamically learned entry also has an invisible aging counter that counts down from the configured aging time:
| Field | Description | Example |
|---|---|---|
| VLAN | The VLAN in which this MAC was learned. Tables are per-VLAN — the same MAC can appear in multiple VLANs mapped to different ports. | 10 |
| MAC Address | The 48-bit hardware address of the device, in Cisco dot notation. | aabb.ccdd.ee01 |
| Type | How the entry was created: DYNAMIC (learned from traffic) or STATIC (manually configured or sticky). | DYNAMIC |
| Ports | The physical interface or port-channel the device was seen on. Trunk ports show as the trunk interface; EtherChannels show as the port-channel. | Fa0/1 |
Table capacity is hardware-limited (typically 8,192–64,000+ entries depending on the switch model). Exceeding this limit causes overflow behaviour described in Section 8.
! Sample show mac address-table output (Cisco IOS)
Switch# show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.ccdd.ee01 DYNAMIC Fa0/1
10 aabb.ccdd.ee02 DYNAMIC Fa0/2
20 aabb.ccdd.ff01 STATIC Fa0/3
10 aabb.ccdd.ee03 DYNAMIC Po1 ! EtherChannel uplink
Total Mac Addresses for this criterion: 4
3. How the Switch Learns MAC Addresses
MAC learning is entirely source-driven: the switch never actively queries devices. Every frame that arrives on any port teaches the switch one mapping — where the sender lives. The process runs in hardware at line rate:
- Frame arrives on Port Fa0/1 with source MAC AA:AA:AA:AA:AA:AA, VLAN 10.
- Switch checks whether AA:AA:AA:AA:AA:AA / VLAN 10 already exists in the table.
- Not present: write new entry (MAC, port, VLAN, type = DYNAMIC) and reset its aging timer.
- Present, same port: refresh the aging timer only.
- Present, different port: overwrite the port — the device has moved or a loop is creating duplicate traffic (MAC flapping).
- Switch then looks up the destination MAC to decide whether to forward or flood.
What is never learned: broadcast frames (FF:FF:FF:FF:FF:FF) and multicast frames are never written into the MAC table as destinations — they are always flooded. However, the source MAC of the device that sent the broadcast is learned normally.
4. Dynamic vs. Static MAC Entries
| Aspect | Dynamic | Static | Sticky |
|---|---|---|---|
| How created | Automatically from incoming traffic | Manually by administrator | Dynamically learned, then promoted to static by port-security sticky |
| Ages out? | Yes — removed after aging timer expires | No — permanent until manually deleted | No — saved to running-config (and startup-config if written) |
| Survives reboot? | No | Yes | Yes (if copy run start was run) |
| Shown as | DYNAMIC | STATIC | STATIC (port-security subtype) |
| Typical use | All standard hosts and devices | Critical servers, printers, security cameras | Access ports where device identity must be locked after first connection |
! Configure a static MAC entry
Switch(config)# mac address-table static aabb.ccdd.ee01 vlan 10 interface fastEthernet 0/1
! Remove it
Switch(config)# no mac address-table static aabb.ccdd.ee01 vlan 10 interface fastEthernet 0/1
5. Aging Timer
Every dynamic entry has an aging timer. Each time a frame arrives from that MAC address, the timer is reset to the full aging value. If no frame is received before the timer expires, the entry is deleted. The next frame from or to that MAC will trigger a flood until the MAC is re-learned.
| Setting | Effect | Trade-off |
|---|---|---|
| Default (300 s) | Entries persist for 5 minutes of inactivity | Good balance for most networks |
| Shorter (e.g., 60 s) | Stale entries removed faster | More flooding in environments with intermittent devices (VoIP, IoT) |
| Longer (e.g., 600 s) | Fewer floods for quiet devices | Stale entries linger if a device disconnects or moves ports |
| 0 (disabled) | Entries never age out automatically | Table fills up over time; not recommended on busy access switches |
! View current aging time
Switch# show mac address-table aging-time
! Change aging time to 600 seconds (global)
Switch(config)# mac address-table aging-time 600
! Change aging time for a specific VLAN only
Switch(config)# mac address-table aging-time 120 vlan 10
6. MAC Table Lookup and Frame Forwarding
After learning, every frame's forwarding decision follows this exact sequence:
| Destination MAC | Found in Table? | Switch Action |
|---|---|---|
| Known unicast | Yes — same VLAN | Forward out the single mapped port only |
| Unknown unicast | No entry exists | Flood out all ports in the VLAN except the source port |
| Broadcast (FF:FF:FF:FF:FF:FF) | Never in table | Flood — always, regardless of table state |
| Multicast | Not in standard table (unless IGMP snooping) | Flood by default; selective forward if IGMP snooping is enabled |
| Known unicast, STP-blocked port | Yes, but egress port is blocked | Drop — STP-blocked ports do not forward data frames |
See also: Frame Forwarding in Detail
7. VLANs and the MAC Address Table
The MAC table is per-VLAN: each VLAN maintains its own separate namespace. See: VLANs Overview. This means:
- The same MAC address can appear in multiple VLAN entries, each mapped to a different port — for example, a router sub-interface or a VM with the same NIC on two VLANs.
- A frame in VLAN 10 will never match an entry learned in VLAN 20, even if the MAC address is identical. This prevents inter-VLAN frame leakage at Layer 2.
- On trunk ports, the switch learns the MAC and the VLAN tag from the 802.1Q header, storing both in the entry.
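To make the learn / lookup / flood sequence of Sections 3, 5, 6 and 7 concrete, here is an added Python model of a per-VLAN MAC table. It is an illustration written for this page, not Cisco code: the port names, MAC addresses, VLAN port lists and the injected `now` clock are constructed inputs, and the `blocked` set stands in for STP-blocked ports. The model learns source MACs, refreshes or overwrites entries on repeat sightings, keys every entry by (VLAN, MAC), ages idle dynamic entries, never overrides static entries from traffic, and floods unknown unicast, broadcast and multicast (no IGMP snooping). The last function replays the three-PC scenario from Section 13.

```python
"""Toy per-VLAN MAC address table: learn, look up, forward/flood, move, age out.

Added illustration (not Cisco code). Port names, MAC addresses and the VLAN port
lists are constructed; `now` is an injected clock in seconds so aging is testable.
"""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac):
    """Group address: least-significant bit of the first octet is set (dot notation)."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Entry:
    port: str
    entry_type: str      # "DYNAMIC" or "STATIC"
    last_seen: float     # time of the last frame from this MAC (used for aging)


class MacTable:
    def __init__(self, aging_time=300.0):
        self.aging_time = aging_time
        self.entries = {}    # (vlan, mac) -> Entry: the VLAN is part of the key
        self.moves = []      # (vlan, mac, old_port, new_port): raw material for flap detection

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = Entry(port, "STATIC", 0.0)

    def learn(self, vlan, src_mac, port, now):
        """Source-driven learning: each frame teaches one (VLAN, MAC) -> port mapping."""
        key = (vlan, src_mac)
        current = self.entries.get(key)
        if current is None:
            self.entries[key] = Entry(port, "DYNAMIC", now)        # not present: new entry
        elif current.entry_type == "STATIC":
            return                                                  # traffic never overrides static
        elif current.port == port:
            current.last_seen = now                                 # same port: refresh timer only
        else:
            self.moves.append((vlan, src_mac, current.port, port))  # different port: move or flap
            current.port, current.last_seen = port, now

    def age_out(self, now):
        """Delete dynamic entries idle for aging_time or longer; aging_time 0 disables aging."""
        if self.aging_time == 0:
            return []
        expired = [k for k, e in self.entries.items()
                   if e.entry_type == "DYNAMIC" and now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return expired

    def forward(self, vlan, src_mac, dst_mac, in_port, vlan_ports, now, blocked=()):
        """Handle one frame: age, learn the source, then decide the egress port set.

        Returns ("FORWARD", [port]), ("FLOOD", [ports]) or ("DROP", []).
        """
        self.age_out(now)
        self.learn(vlan, src_mac, in_port, now)
        flood_set = [p for p in vlan_ports if p != in_port and p not in blocked]
        if dst_mac == BROADCAST or is_multicast(dst_mac):
            return "FLOOD", flood_set              # never looked up, always flooded (no IGMP snooping)
        entry = self.entries.get((vlan, dst_mac))  # lookup is scoped to the frame's VLAN
        if entry is None:
            return "FLOOD", flood_set              # unknown unicast
        if entry.port in blocked:
            return "DROP", []                      # STP-blocked egress: data frames are not sent
        return "FORWARD", [entry.port]


def replay_three_pc_scenario():
    """Section 13: PC1 -> PC2 floods (PC2 unknown), PC2's reply is unicast to Fa0/1 only."""
    table = MacTable()
    ports = ["Fa0/1", "Fa0/2", "Fa0/3"]
    step1 = table.forward(10, "aabb.ccdd.0001", "aabb.ccdd.0002", "Fa0/1", ports, now=0.0)
    step2 = table.forward(10, "aabb.ccdd.0002", "aabb.ccdd.0001", "Fa0/2", ports, now=1.0)
    return step1, step2, table


if __name__ == "__main__":
    s1, s2, t = replay_three_pc_scenario()
    print("Step 1:", s1)   # ('FLOOD', ['Fa0/2', 'Fa0/3'])
    print("Step 2:", s2)   # ('FORWARD', ['Fa0/1'])
    for (vlan, mac), e in t.entries.items():
        print(vlan, mac, e.entry_type, e.port)
```

The `moves` list is deliberately kept rather than discarded: a real switch emits the MACFLAP syslog from exactly this overwrite event, so recording the old and new port is what lets you tell a one-off device move from an oscillating loop.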
! Filter MAC table output by VLAN
Switch# show mac address-table vlan 10
! Filter by a specific MAC address
Switch# show mac address-table address aabb.ccdd.ee01
! Filter by interface
Switch# show mac address-table interface fastEthernet 0/1
! Show only dynamic entries
Switch# show mac address-table dynamic
! Show entry count
Switch# show mac address-table count
8. MAC Address Table Overflow – The Flooding Attack
The CAM table has a finite hardware capacity. When it is full, the switch cannot store new dynamic entries. Any frame whose destination MAC is not already in the table will be flooded to all ports in the VLAN — the switch effectively degrades to hub behaviour for those destinations.
Attackers exploit this deliberately with a MAC flooding attack: a tool such as macof sends tens of thousands of frames per second with randomised source MACs, filling the table with fake entries. Once the table overflows, legitimate unicast traffic is flooded everywhere, allowing the attacker to capture traffic destined for other hosts using a packet sniffer.
| Phase | What Happens | Impact |
|---|---|---|
| Normal operation | Table has space; all MACs learned and forwarded unicast | Efficient, private forwarding |
| Table filling | Attacker sends frames with fake source MACs; table entries consumed rapidly | Legitimate entries begin aging out; new legitimate MACs cannot be stored |
| Table full (overflow) | Switch floods all unknown-destination unicast traffic to every port in the VLAN | All hosts see all traffic — attacker can eavesdrop; network slows under flood load |
Primary defence: Port Security — limit the number of MAC addresses per port so a single port cannot flood the table with thousands of fake entries. See also: DHCP Snooping | Dynamic ARP Inspection
9. MAC Flapping
MAC flapping occurs when the switch sees the same source MAC address arriving on two or more different ports in rapid succession, causing the MAC table entry to oscillate between ports. The switch logs a warning message each time it overwrites the port mapping.
| Root Cause | Detail |
|---|---|
| Layer 2 loop | A frame circulates continuously; the switch sees the same source MAC arriving on multiple ports in sequence — the most common cause. Check STP. |
| Duplicate MAC address | Two devices (or VMs) share the same MAC — rare with physical NICs, but possible with misconfigured hypervisors. |
| Device moving ports rapidly | A laptop or device reconnecting repeatedly in a short window triggers flap messages even without a loop. |
| Spoofing / MITM attack | Attacker sends frames with a victim's source MAC from a different port to redirect traffic to themselves. |
! Detect MAC flapping in syslog
%SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.ee01 in vlan 10 is flapping between port Fa0/1 and port Fa0/3
! Investigate with
Switch# show mac address-table address aabb.ccdd.ee01
Switch# show spanning-tree vlan 10
Switch# show interfaces status
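The two symptoms discussed in Sections 8 and 9 (a table filling up from one port, and a MAC oscillating between ports) both leave traces in output you can collect from the switch. The following added Python script, written for this page and not vendor tooling, parses `show mac address-table` output in the format shown in Section 2 and the `%SW_MATM-4-MACFLAP_NOTIF` syslog format shown above, then applies the checks from the troubleshooting tables: access ports holding more dynamic MACs than the port-security maximum you intend to enforce, overall table utilisation against an assumed capacity, and hosts reported flapping repeatedly. The sample table, the syslog lines, the uplink list, the 8192-entry capacity and the thresholds are all constructed assumptions.

```python
"""Defender checks over 'show mac address-table' output and MACFLAP syslog lines.

Added example (not vendor tooling). SAMPLE_TABLE and SAMPLE_SYSLOG are constructed in
the formats shown on this page; the per-port threshold, the capacity and the minimum
flap count are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict

SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.ccdd.ee01    DYNAMIC     Fa0/1
  10    aabb.ccdd.ee02    DYNAMIC     Fa0/2
  20    aabb.ccdd.ff01    STATIC      Fa0/3
  10    aabb.ccdd.ee03    DYNAMIC     Po1
  10    0000.0000.0101    DYNAMIC     Fa0/5
  10    0000.0000.0102    DYNAMIC     Fa0/5
  10    0000.0000.0103    DYNAMIC     Fa0/5
  10    0000.0000.0104    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 8
"""

# Constructed syslog lines; the MACFLAP message body follows the format quoted above.
SAMPLE_SYSLOG = [
    "Mar  1 10:00:01: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.ee01 in vlan 10 is flapping between port Fa0/1 and port Fa0/3",
    "Mar  1 10:00:04: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.ee01 in vlan 10 is flapping between port Fa0/3 and port Fa0/1",
    "Mar  1 10:00:07: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.ee01 in vlan 10 is flapping between port Fa0/1 and port Fa0/3",
    "Mar  1 10:05:30: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.ee02 in vlan 10 is flapping between port Fa0/2 and port Fa0/4",
    "Mar  1 10:06:00: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up",
]

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>DYNAMIC|STATIC)\s+(?P<port>\S+)", re.IGNORECASE)
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>\S+) in vlan (?P<vlan>\d+) is flapping "
    r"between port (?P<p1>\S+) and port (?P<p2>\S+)")


def parse_mac_table(text):
    """One dict per data row; the header, separator and 'Total' lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"vlan": int(m["vlan"]), "mac": m["mac"].lower(),
                         "type": m["type"].upper(), "port": m["port"]})
    return rows


def dynamic_macs_per_port(rows):
    """DYNAMIC entry count per port; trunks and port-channels legitimately carry many."""
    return Counter(r["port"] for r in rows if r["type"] == "DYNAMIC")


def crowded_access_ports(rows, max_per_port=2, uplinks=("Po1",)):
    """Access ports holding more dynamic MACs than the intended port-security maximum.

    One access port consuming many entries is the pattern a flooding source leaves
    behind, and the reason to cap MACs per port. Uplinks are excluded (assumed list).
    """
    return sorted(port for port, n in dynamic_macs_per_port(rows).items()
                  if n > max_per_port and port not in uplinks)


def utilisation(rows, capacity):
    """Fraction of the (assumed) hardware capacity in use; alert as this approaches 1.0."""
    return len(rows) / capacity


def flapping_hosts(lines, min_count=3):
    """(mac, vlan) pairs reported flapping at least min_count times, with the ports involved.

    Repeated flaps between the same two ports point at a loop (check STP); a MAC that
    keeps appearing on a port other than its known one is a duplicate or spoofed host.
    """
    counts, ports = Counter(), defaultdict(set)
    for line in lines:
        m = FLAP_RE.search(line)
        if not m:
            continue
        key = (m["mac"], int(m["vlan"]))
        counts[key] += 1
        ports[key].update((m["p1"], m["p2"]))
    return {key: (n, sorted(ports[key])) for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_TABLE)
    print(dynamic_macs_per_port(rows))
    print("crowded access ports:", crowded_access_ports(rows))
    print("utilisation: %.4f" % utilisation(rows, 8192))
    print("flapping:", flapping_hosts(SAMPLE_SYSLOG))
```

On the constructed sample, Fa0/5 is reported because it holds four dynamic MACs while Po1 is skipped as an uplink, and only aabb.ccdd.ee01 crosses the three-flap threshold; ee02's single message is the kind of one-off a reconnecting laptop produces and is filtered out unless you lower `min_count`.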
10. Port Security – Protecting the MAC Table
Port Security restricts which and how many MAC addresses are permitted on an access port, defending against MAC flooding attacks and unauthorised device connections.
| Feature | Description |
|---|---|
| Maximum MACs | Limits the number of source MACs a port will accept (default: 1). Any frame from a MAC beyond the limit triggers the violation action. |
| Sticky MAC | First MAC(s) learned on the port are automatically saved as static entries in running-config. Survives reboot if saved. Combines the convenience of dynamic learning with the permanence of static. |
| Violation: Shutdown | Port placed in err-disabled state. No traffic passes. SNMP trap and syslog generated. Requires manual shutdown / no shutdown or errdisable recovery to restore. |
| Violation: Restrict | Violating frames dropped silently. Port stays up. Counter incremented. Syslog message generated. |
| Violation: Protect | Violating frames dropped silently. Port stays up. No log or counter increment. Hardest to detect. |
! Full port-security configuration example
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
switchport port-security ! Enable port security
switchport port-security maximum 2 ! Allow up to 2 MACs
switchport port-security mac-address sticky ! Learn and lock MACs
switchport port-security violation shutdown ! Err-disable on violation
! Check port security status
Switch# show port-security interface fastEthernet 0/1
Switch# show port-security address
! Recover an err-disabled port manually
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
! Or configure automatic recovery
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
See also: Sticky MAC & Port Security | Port Security Violation Modes | Step-by-Step: Port Security & Sticky MAC
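To show how the feature table and the configuration above behave on incoming frames, here is an added Python model of one port-security port. It is written for this page and is not IOS code: the interface names and MAC addresses are constructed, the log message wording is constructed (it is not IOS syslog text), and the running-config lines follow the IOS convention of `switchport port-security mac-address sticky <mac>` for learned sticky addresses. The model enforces the per-port maximum, promotes sticky MACs to static entries, and applies the three violation modes with their observable differences (err-disable, counter, log), then bounds how many table entries a set of secured ports can contribute, which is the point of using port security against table overflow.

```python
"""Port-security model: maximum MACs, sticky learning and the three violation modes.

Added example, not IOS code. Log text is constructed (not IOS syslog wording); the
running-config format for sticky addresses follows the IOS convention
'switchport port-security mac-address sticky <mac>'. Names and MACs are constructed.
"""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("violation must be shutdown, restrict or protect")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure_macs = {}        # mac -> "DYNAMIC" or "STATIC" (sticky)
        self.violation_count = 0     # the counter 'show port-security' reports
        self.err_disabled = False
        self.log = []                # constructed log / trap messages

    def ingress(self, src_mac):
        """Apply port security to a frame from src_mac; returns "ACCEPT" or "DROP"."""
        if self.err_disabled:
            return "DROP"                        # nothing passes on an err-disabled port
        if src_mac in self.secure_macs:
            return "ACCEPT"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn it. Sticky promotes the learned MAC to a static entry.
            self.secure_macs[src_mac] = "STATIC" if self.sticky else "DYNAMIC"
            return "ACCEPT"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled (syslog + SNMP trap)")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped (syslog)")
        # protect: drop silently, no counter, no log, so it is the hardest mode to detect
        return "DROP"

    def recover(self):
        """'shutdown' / 'no shutdown' (or errdisable recovery) clears the err-disabled state."""
        self.err_disabled = False

    def running_config(self):
        """Lines this port contributes to running-config (kept across reboot only after 'copy run start')."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {mac}"
                      for mac, kind in self.secure_macs.items() if kind == "STATIC"]
        return lines


def max_dynamic_entries(ports):
    """Upper bound on MAC-table entries the secured access ports can contribute together.

    With a per-port maximum no single port can consume thousands of entries, which is
    the mitigation for table overflow in Section 8.
    """
    return sum(p.maximum for p in ports)


if __name__ == "__main__":
    p = SecurePort("FastEthernet0/1", maximum=2, violation="shutdown", sticky=True)
    for mac in ("aabb.ccdd.0001", "aabb.ccdd.0002", "aabb.ccdd.0003"):
        print(mac, p.ingress(mac))        # ACCEPT, ACCEPT, DROP
    print("err-disabled:", p.err_disabled, "violations:", p.violation_count)
    print("\n".join(p.running_config()))
```

The third frame on FastEthernet0/1 is what the "Violation: Shutdown" row describes: the port goes err-disabled, the counter becomes 1 and a log entry is produced. Compare the `protect` port in the test, which drops the same kind of frame with no counter and no log, which is why the table calls it the hardest mode to detect.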
11. MAC Address Table in Multi-Switch Environments
In a campus network with multiple interconnected switches, each switch maintains its own independent MAC address table. Entries are learned locally as traffic flows across inter-switch links.
| Feature | Effect on MAC Table |
|---|---|
| Trunk ports (802.1Q) | MACs from remote hosts are learned against the trunk port interface, tagged with the correct VLAN (see VLAN Tagging 802.1Q). Each switch learns only that the host is reachable via its trunk — not which specific port on the remote switch. |
| Spanning Tree Protocol (STP) | Blocked ports do not forward data frames, so MACs behind a blocked port are not learned via that path. When STP converges and ports transition to forwarding, MAC tables are quickly re-populated from traffic. |
| EtherChannel (LACP/PAgP) | Multiple physical links appear as a single logical port-channel. MAC entries map to the port-channel interface (Po1), not individual member links. Load balancing distributes frames across members. |
| Rapid STP (RSTP) port transitions | When an edge port transitions to forwarding, it sends a TCN (Topology Change Notification), causing other switches to flush their MAC tables and re-learn paths quickly. |
See also: Access & Trunk Ports | EtherChannel | STP Port Roles
12. Verification and Troubleshooting Commands
| Command | Purpose | Key Output to Check |
|---|---|---|
| show mac address-table | Full MAC table dump | Verify MACs, ports, VLANs, and types; check for unexpected entries |
| show mac address-table dynamic | Dynamically learned entries only | How many entries has the switch learned from traffic? |
| show mac address-table vlan 10 | Filter by VLAN | Isolate entries to a specific broadcast domain |
| show mac address-table address aabb.ccdd.ee01 | Filter by specific MAC | Find which port and VLAN a device is on |
| show mac address-table count | Entry count per VLAN and total | Watch for table near capacity; investigate sudden spikes (flooding attack) |
| show mac address-table aging-time | Current aging timer values | Verify global and per-VLAN aging settings |
| show interfaces fastEthernet 0/1 | Port status and counters | Check for input errors, CRC, or err-disabled state |
| show port-security interface fa0/1 | Port security status per interface | Current MACs, max allowed, violation count, violation action, port status |
| show spanning-tree vlan 10 | STP state of all ports in VLAN 10 | Confirm no unexpected blocked/forwarding transitions causing MAC flapping |
| clear mac address-table dynamic | Flush all dynamic entries | Forces re-learning; useful after moving devices or resolving flapping |
Common Troubleshooting Scenarios
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Excessive flooding on all ports | MAC table overflow (flooding attack or too many devices) | Check show mac address-table count; enable port security; investigate for macof-style attack |
| MAC flapping syslog messages | Layer 2 loop, duplicate MAC, or spoofing | Run show spanning-tree; verify STP is converged; check for duplicate MACs on hypervisors |
| Device not reachable but physically connected | MAC not learned; STP blocking; VLAN mismatch | Check show mac address-table; verify access VLAN assignment; check STP port state |
| Port in err-disabled state | Port security violation (Shutdown mode) | Investigate the offending MAC; shutdown / no shutdown to recover; consider errdisable recovery |
| MAC entry on wrong port after device move | Stale dynamic entry; device moved before aging out | clear mac address-table dynamic address <mac> or wait for aging |
See also: Step-by-Step: Troubleshooting Layer 2 VLANs & Trunks | Step-by-Step: MAC Address Table Management
13. Complete Practical Example
Scenario: Three PCs on a switch. PC1 sends a frame to PC2 for the first time.
PC1: MAC aabb.ccdd.0001, VLAN 10, Port Fa0/1
PC2: MAC aabb.ccdd.0002, VLAN 10, Port Fa0/2
PC3: MAC aabb.ccdd.0003, VLAN 10, Port Fa0/3
Initial MAC table: empty
Step 1 — PC1 sends frame to PC2
Src: aabb.ccdd.0001 Dst: aabb.ccdd.0002
Switch learns: aabb.ccdd.0001 → Fa0/1 / VLAN 10 (NEW)
Dst lookup: aabb.ccdd.0002 → not found
Action: FLOOD out Fa0/2 and Fa0/3 (all VLAN 10 ports except Fa0/1)
Step 2 — PC2 replies to PC1
Src: aabb.ccdd.0002 Dst: aabb.ccdd.0001
Switch learns: aabb.ccdd.0002 → Fa0/2 / VLAN 10 (NEW)
Dst lookup: aabb.ccdd.0001 → Fa0/1 (found!)
Action: FORWARD unicast out Fa0/2 only — PC3 sees nothing
MAC table after Step 2:
VLAN MAC Address Type Ports
---- --------------- ------- -----
10 aabb.ccdd.0001 DYNAMIC Fa0/1
10 aabb.ccdd.0002 DYNAMIC Fa0/2
All subsequent PC1 ↔ PC2 frames are forwarded unicast with no flooding.
PC3 never sees this traffic.
14. Key Points & CCNA Exam Tips
- The MAC address table (CAM table) maps MAC + VLAN → port; it is the basis for all Layer 2 forwarding decisions
- Switches learn source MACs from incoming frames — learning is passive and automatic
- Unknown destination unicast, broadcast, and multicast (without IGMP snooping) are all flooded within the VLAN
- The table is per-VLAN — the same MAC can appear in multiple VLANs mapped to different ports without conflict
- Default aging time = 300 seconds; adjustable with mac address-table aging-time <seconds> [vlan <id>]
- Static entries never age out and survive reboots; dynamic entries do not survive reboots
- Sticky MACs are dynamic entries promoted to static by port security; they survive reboots only if copy run start was executed
- MAC flooding attack: attacker fills the table with fake entries, forcing the switch to flood all traffic (fail-open); mitigate with port security
- MAC flapping = same MAC seen on multiple ports; almost always indicates a Layer 2 loop or STP failure
- Port security violation modes: Shutdown (err-disable port) > Restrict (drop + log) > Protect (drop silently)
- Key show commands: show mac address-table, show mac address-table count, show port-security
- To flush stale entries after moving a device: clear mac address-table dynamic